Early on Thursday morning, negotiators from the European Parliament and the Council struck a provisional agreement on the AI Omnibus, a legislative package intended to simplify the bloc's artificial intelligence rules. The process, however, was anything but straightforward. Discussions were marked by sharp disagreements over the package's ambition, last-minute proposals to exempt certain machinery, legal challenges to the simplification effort itself, and fears that the Omnibus could undermine the original AI Act.
While key negotiators celebrated the outcome, doubts linger. Critics argue that EU lawmakers could have done more to help European businesses navigate a regulatory landscape that many are not prepared for, despite investments in AI service desks, ambitious statements about simplification, and plans for regulatory sandboxes.
A Modest Outcome
The most contentious issue in recent weeks was the proposed exemption for medical devices, toys, lifts, machinery, and watercraft. Some member states accused Germany of failing to collaborate in a timely manner, leading to an imperfect result. Under the final agreement, AI Act provisions that overlap with sectoral rules will only be removed for machinery products—a far more modest outcome than initially expected. For medical devices, toys, lifts, and watercraft, overlaps will be addressed through implementing acts, which often arrive long after the problems they are meant to solve.
Negotiators also agreed to narrow the definition of “safety component” and to allow personal data processing to detect and correct biases in both high-risk and non-high-risk AI systems. A welcome development is the extension of small and medium enterprise (SME) exemptions to small and mid-caps—companies with up to €200 million in turnover—a move that could practically support the EU's tech scale-ups.
In response to recent incidents involving AI-generated nudification content, stricter rules will apply to AI systems capable of creating child sexual abuse material or non-consensual deepfake nudity and sexually explicit content. These systems must comply by December 2, 2026.
Deadlines for high-risk AI rules have been pushed back: standalone high-risk systems must comply by December 2, 2027, and high-risk systems embedded in products by August 2, 2028. The grace period for watermarking AI-generated content was shortened, moving from February 2, 2027, to December 2, 2026. The deadline for AI regulatory sandboxes has also been delayed, from August 2, 2026, to August 2, 2027, amid criticism that the sandbox framework is too limited and overly focused on soft measures.
Eyes on the Digital Omnibus
While the Council and Parliament must still formally approve the AI Omnibus, attention is now shifting to the second leg of the EU's simplification efforts: the Digital Omnibus package, which centers on AI development and data. The Central European AI Chamber, alongside 15 other associations including the Consumer Choice Center Europe, has published an open letter urging member states to correct course on what they see as watered-down Digital Omnibus proposals. The letter calls for a better balance between data protection and the EU's broader strategic goals, such as innovation and economic growth, arguing that the current compromise texts move in the opposite direction.
Key debates in the coming months will likely focus on three areas: the definition of personal data (or what does not constitute personal data after sufficient pseudonymization); AI-related processing exemptions under the legitimate interest basis (Article 88c); and the incidental processing of sensitive data (Article 9(5)). The signatories stress that the European Commission's initial proposals on pseudonymization and AI-related exemptions were pragmatic, whereas the current draft reverses course and returns to the status quo. Without clear distinctions, companies and researchers remain exposed to fragmented interpretations across member states, forced to rely on the European Data Protection Board's (EDPB) guidelines, which prioritize data protection but are not designed to promote economic growth and innovation.
The scope of scientific data for AI development is also being narrowed, according to the letter, which contradicts the EU's ambition to bridge the gap between its strong research base and weak commercialization muscle. The signatories call for a broad, clear, and binding definition to ensure predictable rules for both public- and private-sector R&D.
Finally, the Digital Omnibus proposes a new mechanism (Article 88b) to replace the notorious “cookie fatigue,” but critics warn it risks creating further consent chaos, worsening the consumer experience, and failing to meet GDPR requirements for specific and informed consent. As the EU navigates these complex negotiations, the outcome will have significant implications for the continent's digital economy and its ability to compete globally. For more on the EU's digital rulebook, see our analysis of the Digital Markets Act two years on.
